Development of a Model for Applying Correlation Cryptanalysis to Filtering Generators

Home , Correlation immunity, NESSIE

NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020 DEVELOPMENT OF A MODEL FOR APPLYING CORRELATION CRYPTANALYSIS TO FILTERING GENERATORS

ABDURAKHIMOV BAKHTIYOR FAYZIEVICH Professor, Doctor of Physics and Mathematics, National university of Uzbekistan, +998935143137, [email protected]

BOYKUZIEV ILKHOM MARDANAKULOVICH PhD Student, National university of Uzbekistan, +998909779300, [email protected]

SHONAZAROV SOATMUROD KULMURODOVICH Teacher, Termez state university, +998996760166, [email protected]

ZIYAKULOVA SHAKHNOZA ABDURASULOVNA Teacher, Termez state university,

+998905208923, [email protected] ABSTRACT: Proposed mathematical model and This article is devoted to problems of software can be used for estimation of cryptanalysis. Cryptographic analysis stability of the algorithm of the flow crypto results, got from using of correlation operation to correlation cryptanalysis, as cryptanalysis method to algorithm of the well as in scholastic purpose. flow crypto operation, founded on register of KEYWORDS: cryptanalysis, stream ciphers, the shift with feedback, were presented in shift registers, LILI-128, filtering, work. For estimation of the flow crypto correlation operation algorithm’s crypto stability by correlation cryptanalysis method, number INTRODUCTION: of important tasks was defined, purposes and problems of the study were determined. Ensuring information security requires As a result of defined tasks decision, relatively fast cryptographic tools, not only as mathematical model and software of the exchange of documentary information correlation cryptanalysis method to flow transmitted over the network increases, but crypto operation to filtering LILI-128 – were also as the exchange of multimedia, that is, video developed. Results has shown, that and audio, increases. Therefore, the use of characteristic of correlation immunity of stream encryption algorithms in local and global filtering functions, used in filtering networks has become an urgent problem[1,2]. generator, provide stability to correlation When analyzing stream encryption cryptanalysis method. Execution with big algorithms, in contrast to block encryption probability of stat-analogical function, algorithms, although many original ideas and defined in process of cryptanalysis, raises directions for creating stream encryption the efficiency of cryptanalysis. cryptographic algorithms were developed in this area, there is no single way to express270 | Page their commonality[3]. NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020

Therefore, it is important to conduct research in the field of continuous encryption algorithms and modern methods for assessing their cryptographic strength. Due to the design features of continuous encryption algorithms, the most common type of attack is a correlation attack. If a non-linear function transfers information about its internal components to the output, the work required to open such a system is greatly reduced. However, such a function is always available[4]. According to this axiom, correlation attacks use the correlation between a sequence leaving an st nd Figure 1. Scheme of 1 and 2 generators encryption scheme and a sequence leaving i1 i2 ik l(x) = x ⊕ x ⊕ … ⊕ x ⊕ b depending registers[5,6,7]. METHODOLOGY: on the value of the free variable b (b =0 ва b = 1)nd 2.0 Correlation cryptanalysis method for in linear stanology, the operation of the 2 filter generators generator can be expressed using one of the schemes shown in the figure 2. There are several methods of correlation cryptanalysis applied to continuous encryption algorithms based on filter generators. Underlying these approaches is the use of linear statanalogs of the filtering function. Suppose that in a filter generator there is a linear feedback shift register of length n, 1 n n 1 1 n φ(x ,...,x ) = c x ⊕ … ⊕ c x is the feedback n n 1 function of the register, C(D) = c D ⊕ … ⊕ c D nd ⊕ 1 is its characteristic multiplication, and f 1 n Figure 2. Operating∞ status of 2 generator (x ,...,x ) is a filtering function, let the linear ij i1 i2 The series S } are different recurrence statanology of the function f(x) be l(x) = x ⊕ x ik sequences formed by one shift register with a 1 n ⊕ … ⊕ x ⊕ b . The probability that the feedback function φ(x ,...,x ), length n. From the function f (x) and its statonology coincide with known results on the linear complexity of the l(x) is: Prob{f(x) = l(x)} = 1/2 + a/2 [5]. Where sum of linear recurrence sequences and the – is the maximum value of linear complexity of inverted sequences, it can the normalized modulus of the Fourierst be seen that the length of the sequence {y’(t)} is coefficient. We call this given generator 1 n, and the feedback function is still equal to 1 n n 1 1 n generator. Filter generator with a similar shift φ(x ,...,x ) = c x ⊕ … ⊕ c x or length n + 1 and register, but with a filter functionnd l(x). This multiplication of the characteristic n n+1 n n-1 n n-1 n-2 n- generator is called the 2 generator. The C’(D) = c D ⊕(c ⊕c )D ⊕(c ⊕c )D 1 2 1 2 1 following symbols {y(t)} and {y’(t)} denote the ⊕…⊕(c ⊕c )D ⊕(c ⊕1)D⊕1 (1) i output sequences generated by the generators 1 which is made using offset sizes. Where c is the 1 n and 2, respectively, when the initial filled state coefficient of the feedback φ(x ,...,x ) function. is the same (Figure 1). 271 | Page

NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020

Thus, instead of the 2nd generator, we can take before. In this case, therd bits of the output a look at the equivalent 3-generator (Figure 3). sequence {y’(t)} of the 3 generator correspond

Therefore, in the case b = 0, the register length to the bits of the-m sequence {y(t)} with a is L=n, and the feedback function is φ’(x) = φ(x), probability of 1 – 2 . In this case, assuming that and in the case b = 1, the register length is all 2n bits of the sequence {y(t)} correspond to

L=n+1, and the coefficient of the feedback bits of the sequence {y’(t)}, we can construct rda function C’(D) is determined from the feedback linear displacement registerst (3 characteristic coefficient of thend polynomial. generator) at the output of the 1 generator.

Then rd the output sequences of 2 generators Then this generator is used as a decoder with-m and 3 generators coincide and are equal to the correct decryption probability of 1 – 2 .

{y’(t)}, and then the following equation holds forst Therefore, if the function f(x) hasst certain the elements of nd the output sequences of 1 properties, the operation of the 1 generator generators and 2 generators: Prob{ y(t)= y’(t)} can be completely restored, that is, the unknown = 1/2 + a/2. feedback function and the initial state of the register can be determined. As a rule, to assess the reliability of the continuous encryption algorithm, the cryptanalyst is informed about the gamma sequence and internal structure of the generator, which come from a generator of a certain length. That is, the length of the register used in the generator, the feedback, and the Figure 3. Scheme of generator 3 appearance of the filter function are known. If the 1st generator is used to encrypt Based on this, using the two above some “ordinary” information and the parameter approaches, the method of correlation а is large enough, the 3rd generator can be used cryptanalysis is applied to the filter generator as Example 1. as a decoder, and errors can be eliminated follows. depending on the capabilities of the language. Let the above 1 be a Consider a situation that has the form: generator (Figure 4). It is known that this The feedback function of the above approach generator has an offset register of length 7 and st 1 n the 1 generator φ(x ,...,x ) is unknown, and the a filter function f(x) as follows: 1 1 2 3 4 5 6 7 filter function f(x) is as follows: f(x ,...,xn) = f(x) = x ⊕ x * x * x * x * x ⊕ x 1 2 m m+1 m+2 n. x *x *…*x ⊕ x ⊕ x ⊕…⊕ x The φ feedback function is as follows: 1 7 1 2 3 6 Where m ≤ n, n is the length of the displacement φ(x ,…,x ) = x ⊕ x ⊕ x ⊕ x dimensions. The linear statonology of the The initial filled state of the generator is m+1 n m+1 function f(x) is the function l(x ,…,x ) = x ⊕ unknown. m+2 n x ⊕…⊕ x with the probability-m of coincidence Prob{f(x) = l(x)} = 1 - 2 . In particular, for m ≥ 5, the probability is Prob{f(x)

= l(x)} > 0,969. st Thus, if the filtering function f(x) in a 1 generator is replacednd by its linear statistical analog,rd the resulting 2 generator is equivalent to a 3 generator, i.e. there is an n-length shift register with the same feedback function as Figure 4. Filtering generator272 | Page

NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020

nd However, at least 14 consecutive bits of The output bits of the 2 generator the output sequence {y(t)} are specified, let be: sequence y’(t) are calculated using a linear filter 1 7 00101001110010. The purpose of the analysis l(x) = x ⊕ x . is to find the initial state of the register. Thus, the following system of equations The linear statanology of the filter (4) is suitable: 1 7 function f(x) is the function l(x) = x ⊕ x . Since x0 ⊕ x6 = 0; m = 5 for this function, the probability of x1 ⊕ x7 = 0; matching the filtering function f(x) and its linear -m -5 x2 ⊕ x8 = 1; statanology is P{f(x) = l(x)} = 1–2 = 1 – 2 ≈ 3 9 0,969. In this case, the length of the register of x ⊕ x = 0; (4) the generator 2 corresponds to the length of the x4 ⊕ x10 = 1; register of the generator 1, which is equal to 7. x5 ⊕ x11 = 0; Therefore, the bit of the output sequence of the nd x6 ⊕ x12 = 0. 2 generator {y’(t)} corresponds to the Выражая значения x7 ,…, x12 через x0 ,…, correspondingst bit of the output sequence of the- 6 51 generator {y(t)} with a probability p = 1 – 2 x , можно создать следующую систему

≈ 0,969 . nd уравнений (5): Feedback function of the 2 generator is 7 0 1 2 5 1 7 1 2 3 6 x = x ⊕ x ⊕ x ⊕ x ; φ(x ,…,x ) = x ⊕ x ⊕ x ⊕ x . Accordingly, its x8 = x1 ⊕ x2 ⊕ x3 ⊕ x6 ; characteristic multiplicity is as follows: 7 6 5 2 9 2 3 4 7 2 3 4 0 1 C(D) = D ⊕ D ⊕ D ⊕ D ⊕ 1 (2) x = x ⊕ x ⊕ x ⊕ x = x ⊕ x ⊕ x ⊕ x ⊕ x 2 5 3 4 0 1 5 In this case, it is possible tost completely ⊕ x ⊕ x = x ⊕ x ⊕ x ⊕ x ⊕ x ; restore the full operation of the 1 generator, x10 = x3 ⊕ x4 ⊕ x5 ⊕ x8 = x3 ⊕ x4 ⊕ x5 ⊕ x1 ⊕ x2 that is, the initial state of the registers. To do ⊕ x3 ⊕ x6 = x4 ⊕ x5 ⊕ x1 ⊕ x2 ⊕ x6; this, it is used to coordinate the entire internal nd 11 4 5 6 9 4 5 6 3 4 state of the shift register in the 2 generator x = x ⊕ x ⊕ x ⊕ x = x ⊕ x ⊕ x ⊕ x ⊕ x (including the initial filled state) with the ⊕ x0 ⊕ x1 ⊕ x5 = x6 ⊕ x3 ⊕ x0 ⊕ x1; (5) 12 5 6 7 10 5 6 7 10 5 correspondingst internal state of the register in x = x ⊕ x ⊕ x ⊕ x = x ⊕ x ⊕ x ⊕ x = x the 1 generator. The sequence leaving the 2nd ⊕ x6 ⊕ x7 ⊕ x4 ⊕ x5 ⊕ x1 ⊕ x2 ⊕ x6 = generator is the sequence {y’(t)}. In this case, all 7 4 1 2 0 1 2 5 4 14 bits of the sequence {y’(t)} correspond to the = x ⊕ x ⊕ x ⊕ x = x ⊕ x ⊕ x ⊕ x ⊕ x ⊕ x1 ⊕ x2= x0 ⊕ x5 ⊕ x4. corresponding bits of the sequence {y(t)}, andnd corresponds to register filling in the 2 t t+1 t+6 generator at time t x(t) = (x , x ,…,x ), we get: t t+1 t+6 t t+6 y(t) = y’(t) = l(x(t)) = l(x , x ,…,x ) = x ⊕ x (3) However, for all t > 6, the following recurrence expression is suitable in accordance 1 7 1 2 3 6 t t-7 with φ(x ,…,x ) = x ⊕ x ⊕ x ⊕ x : x = x ⊕ t-6 t-5 t-2 x ⊕ x ⊕ x . The result is a system of linear equations 0 6 st that determines the initial values x , ... , x of 1 nd and 2 generators. Figure 5. Generator filter’s structure 273 | Page

NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020

As a result, we have a system of linear generated from the original generator at the 0 6 equations (6) that connects the values x , ... , x same time. In this case, the internal state of the t t+1 with the initial signs y’(t). displacement register at time t is X(t) = (x , x , t+n-1 t t x0 ⊕ x6 = 0; …, x ), and the resulting sequence is y = f (x , t+1 t+n-1 0 2 5 x , …, x ) = f (X(t)). x ⊕ x ⊕ x = 0; t+1 t+2 t+n In this case, the vector X(t+1) = (x , x , …, x ) x1 ⊕ x3 ⊕ x6 = 1; corresponding to the internal state of the 0 1 4 5 x ⊕ x ⊕ x ⊕ x = 0; (6) register at the next instant of time is related to x1 ⊕ x2 ⊕ x5 ⊕ x6 = 1; the vector X(t) by the following relation: X(t+1) t+1 t+2 t+n x0 ⊕ x1 ⊕ x3 ⊕ x5 ⊕ x6 = 0; = (x , x , …, x ) = А* X(t). Where the matrix A (n x n) looks like this: x0 ⊕ x4 ⊕ x5 ⊕ x6 = 0. Solving these equations, unknown values 0 1 2 can be determined as follows: x = 1, x = 1, x = 3 4 5 6 1, x = 1, x = 0, x = 0, x = 1. Therefore,st the initial position of the shift register in the 1 generator is (1111001). After checking, can see that the result is correct. As a result, the initial circuit of generator 1 will be as shown in Figure 5. (7) 2.2 Using correlation immunistic function in Then X(t) = А* X(0), where X(0) is the initial filter generators state of the shift register. 1 n Therefore, g(x ,...,x ) is a construction of The use of the correlation-immune a function that is not related to correlation, and function as a filtering function in filtering the initial state of the register can be chosen so generators does not significantly affect the that a filter generator with the same offset sizes 1 n complexity of cryptanalysis. This is because and filter function g(x ,...,x ) creates the same Theorem 1. filter generators use a single register. sequence as the original generator. To do this, Assume that the key current we need to find a matrix D of size (n x n), firstly, generator is a filter generator that uses the this matrix must be connected with the-1 matrix Boolean function of correlation immunity as a А, and secondly, the function f (D X), X = 1 n filter function. In this case, it is possible to create (x ,...,x ) is not must be correlation-immune. As a filter generator that has the same shift register such a matrix, we can choose a polynomial (that is, the register length and feedback matrix from the matrix: 0 1 2 2 k k function are the same), but the filter function is D = d E + d A + d A + … + d A . (8) not correlation-immune, in which the developed In this case, we consider a filter sequence corresponds to the output sequence generator with the same shift register as before, 1 n -1 from the primary generator (initial state but with the filter function g(x ,...,x ) = f (D X) Proof. register will be different) [5]. and the initial state X’ = D*X(0). If we define the Suppose that the length of the internal state vector of the generator generated register of the primary generator is n, the by X’(t) at time t, then X’(t) = D*X(t). Since both 1 n n 1 1 n feedback function is φ(x ,...,x ) = c x ⊕…⊕ c x , generators use the same feedback function and 1 n t and the filter function is f (x ,...,x ). x is the state the matrices A and D are interconnected, we cant in which the first register cell is filled at time t, obtain thet* followingt equation: X’(t) = A t *X’(0)=A D*X(0)=D*A *X(0)= D*X(t). The y is the symbol of the output sequence 274 | Page output sequence of the new generator at time t NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020

t -1 -1 is: z = g(X’(t)) = f (D X’(t)) = f (D DX(t)) = f function includes values in 10 cells (0, 1, 3, 7, 12, t d (X(t)) = y . 20, 30, 44, 65, 80) of the LFSR register. As we can see, both generators work the The LILI-128 algorithm participated in same way, so cryptanalysis of the second the NESSIE European competition, in which it generator (with the function of non-immune was found that the complexity of its evaluation correlation filtering) leads to cryptanalysis of by the method of correlation cryptanalysis is 71 the primary cryptosystem. 2 . To carry out the method of correlation 2.3 Correlation cryptanalysis method for cryptanalysis discussed above and to obtain algorithm LILI -128 certain results, we work without looking at the subsystem for controlling the movement of the The LILI-128 algorithm is a continuous circuit. synchronous cipher based on classic controlled Since the filter function of the LILI-128 shift registers[5,12]. The generator can be algorithm is hidden, we must choose the filter divided into two subsystems based on the function ourselves. The degree of nonlinearity functions they perform: the clock control of this filter function must be non-zero. The subsystem and data generation subsystem. reason is that if the degree of non-linearity of

the function is zero, its initial state can be LFSRс LFSRd determined, since the number of registers is

equal to one. For this reason, the degree of

nonlinearity as a filtering function is different

from zero, and it is recommended to use a c( z( fс fd correlated immunistic function. One of these t) t) functions is the following function: 9 24 45 59 49 77 82 86 f(x) = x ⊕ x ⊕ x * x * x * x * x * x * 88 89 x ⊕ x Clock control Data Generation Therefore, in this case, the method of correlation cryptanalysis for the filter generator can be applied in the sequence of steps

described in Example 1. RESULTS: Figure 6. Overview of LILI-128 keystream generators Summarizing the above results, in general, c The length of the control register is L = we can propose a model for applying the c с 12 20 39 bits, f - the function is as follows: f (x , x ) method of correlation cryptanalysis for filtering 12 20 = 2(x ) + x + 1 stream encryption algorithms. c The feedback polynomial of the LFSR is 39chosen35 In general, the method of correlation to be33 the31 primitive17 15 polynomial:14 2 h(x) = х + x cryptanalysis for filtering stream encryption + x + x + x + x + x + x + 1. algorithms is based on the following sequence of d d Step 1. The length of the LFSR register is L = 89 steps: d bits, The feedback polynomial89 83 80of LFSR55 is53 given42 The combination function used in as follows::39 h(x) = x + x + x + x + x + x the continuous encryption algorithm is the + x + x + 1. degree of nonlinearity. If the nonlinearity level The filtering function of the LILI-128 is zero, the function used is considered algorithm is kept secret. The input to the filter intolerable. Otherwise the second step275 is | taken;Page

NOVATEUR PUBLICATIONS JournalNX- A Multidisciplinary Peer Reviewed Journal ISSN No: 2581 - 4230 VOLUME 6, ISSUE 5, May -2020 Step 2.

The correlation immunity levels 3) Xarin Y.S., Bernik V.I., Matveyev G.V., of the combining function used in the Agiyevich S.V. Mathematical and computer continuous encryption algorithm are. If the foundations of cryptology: a Training correlation immunity level is zero, the function manual. - Minsk, LLC New knowledge, used is considered intolerable. Otherwise 2003. - 382 p. proceed to the third step; 4) Asoskov A.V., Ivanov M.A. Stream ciphers, Step 3. M: Kudits-Obraz, 2003, 336 p. All available statanalog functions 5) Gorbenko I.P., Potiy A.V., Izbenko Y.A. of the combinatorial function are searched. Analysis of stream encryption schemes Statanalog is selected from the features that are presented at the NESSIE European contest. linear; Harkov National University of Radio Step 4. Electronics, 2005. - 17 p. Using the statanalog function as a 6) Jukov A.YE. Strength analysis of stream filtering function, a system of linear equations is encryption systems. The manual on the constructed using the known gammas and course "Cryptographic Methods of feedback polynomials; Protecting Information." Moscow State Step 5. Technical University. 2003.– 23 p. By solving a system of structured 7) Stasev Y.V, Potiy A.V, Izbenko Y.A. The linear equations, the initial state of the register study of cryptanalysis methods for stream is determined. ciphers. Taganrog: Izvestiya TRTU, 2005, - CONCLUSION: 250 p. 8) Akbarov D.YE. Cryptographic methods of In general, several factors influence the information security and their application. application of the method of correlation - Tashkent, “Uzbekistan Markasi” cryptanalysis to continuous encryption publishing house, 2009. - 432 p. algorithms with a filtering generator. 9) Ivanov M. Cryptographic methods of The use of the correlation immunization storing information in computer systems function as a filter function in filter generators and networks. - M., «Kudits-Obraz», 2001, - cannot completely exclude the implementation 368 p. of the correlation cryptanalysis method. 10)Babenko L.K, Ishukova YE.A. Differential The use of the immunization function with cryptanalysis potochnix cipher. Izvestiya non-zero correlation in filtering generators YuFU, 2009. 232 - 238 p. increases the generator's resistance to the 11)Shnayyer B. Applied cryptography. method of correlation cryptanalysis. Protocols, algorithms, source texts in C REFERENCES: language. - M., Ed. TRIUMPH, 2003 .-- 816

1) Stallings V. Cryptography and network 12)http://www.cryptonessie.org. protection: principe and practice. - M., Ed. 13)http://www.cryptography.ru.

Williams House, 2001. - 672 p. 2) Shannon K. Communication Theory in Secret Systems // In the book. Works on information theory and cybernetics. - M., IL, 1963. 276 | Page